CN113596028A - Method and device for handling network abnormal behaviors - Google Patents


Info

Publication number
CN113596028A
Authority
CN
China
Prior art keywords
matching
early warning
key information
source
network abnormal
Prior art date
Legal status
Granted
Application number
CN202110861793.6A
Other languages
Chinese (zh)
Other versions
CN113596028B (en)
Inventor
葛国栋
李泽科
魏兴慎
吴超
张勃
王海清
高鹏
马增洲
曹永健
杨维永
刘苇
朱世顺
陈泽文
徐志光
Current Assignee
State Grid Fujian Electric Power Co Ltd
NARI Group Corp
Nari Information and Communication Technology Co
Original Assignee
State Grid Fujian Electric Power Co Ltd
NARI Group Corp
Nari Information and Communication Technology Co
Priority date
Filing date
Publication date
Application filed by State Grid Fujian Electric Power Co Ltd, NARI Group Corp, Nari Information and Communication Technology Co
Priority to CN202110861793.6A
Publication of CN113596028A
Application granted
Publication of CN113596028B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a method and a device for handling network abnormal behaviors. The method comprises: extracting key information about untrusted network access behaviors from the logs of security early-warning devices; matching the extracted key information against a configured network abnormal behavior matching rule to identify network abnormal behavior; and issuing a defense policy command to the security defense device linked for that network abnormal behavior. The matching rules can be configured flexibly according to the security protection requirements, giving precise access control over the terminal devices of the power Internet of Things, and the speed and capability of network security emergency response are improved while manpower is saved.

Description

Method and device for handling network abnormal behaviors
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method and a device for handling network abnormal behaviors.
Background
Network abnormal behavior refers to attacks on a computer information system, infrastructure, computer network or personal computer device that exploit vulnerabilities and security defects in the network information system to attack the system and its resources. For computers and computer networks, destroying, disclosing, modifying or disabling software or services, or stealing or accessing data on any computer without authorization, is considered abnormal behavior.
There are many ways to defend against network abnormal behavior in daily operations. In summary, monitoring personnel analyze, identify and judge the untrusted network access behaviors reported by the security monitoring and early-warning devices, use security defense devices such as antivirus and anti-hacking devices to control thresholds on inbound and outbound network communication, set targeted defense policies for the discovered abnormal network behaviors, and ensure that suspicious behaviors cannot reach the internal network, thereby effectively protecting the internal network.
This way of protecting against abnormal behavior has limitations: where the network covers a wide area and there are many security early-warning devices, a large number of untrusted network access behaviors are generated, more manpower is needed to analyze and judge them and to set defense policies, the time from discovery of a network abnormal behavior to the setting of a targeted defense policy is long, and network abnormal behavior cannot be responded to quickly and effectively in an emergency.
Disclosure of Invention
The invention aims to provide a method and a device for handling network abnormal behaviors that automatically identify, analyze and handle the whole process from the discovery of network abnormal behavior to the security defense response, improving the speed and capability of network security emergency response while saving manpower.
To achieve this aim, the invention adopts the following technical solution:
one aspect of the invention provides a method for handling network abnormal behavior, comprising:
extracting key information of the untrusted network access behavior from a security early-warning device log;
matching the extracted key information against a configured network abnormal behavior matching rule, and identifying the network abnormal behavior;
and issuing a defense policy command to the security defense device linked for the network abnormal behavior.
Further, extracting the key information of the untrusted network access behavior from the security early-warning device log includes:
collecting security early-warning device logs;
identifying, in the logs, the network access behavior data judged to be untrusted;
extracting key information from the untrusted network access behavior data, the key information comprising at least: source IP, destination IP, attack mode, early-warning level, attack result and attack time.
Further, the method also comprises the following steps:
merging key information records with the same source IP, the same destination IP and the same attack mode into one record within a set time;
converting the numeric codes of the attack mode, early-warning level and attack result in the key information into their text descriptions, converting the attack time into a character time format, and querying a local IP home-location library by source IP to obtain the source IP home location;
storing the format-converted key information in a relational database, where the key information of network access behaviors in the unhandled state is stored in an early-warning database.
Further, matching the extracted key information includes:
scanning the early-warning database and matching the key information of network access behaviors in the unhandled state against the preset network abnormal behavior matching rule;
and, for key information that matches successfully, judging the corresponding network access behavior to be network abnormal behavior.
Further, the network abnormal behavior matching rule includes:
rule one: match the attack result in the key information against the access result in the security device early-warning data; if they are consistent, the match succeeds;
rule two: judge the source IP in the key information; if the source IP has been monitored as untrusted by more than a preset number of security early-warning devices within a set time range, the match succeeds;
rule three: judge the source IP in the key information; if the number of untrusted network access behaviors from the source IP monitored by the current security early-warning device within a set time range exceeds a preset threshold, the match succeeds;
rule four: judge the early-warning level in the key information; if it lies within the preset early-warning level range, the match succeeds;
rule five: judge the source IP in the key information; if the alert is from an overseas IP, the match succeeds;
rule six: judge the source IP in the key information by querying its intelligence level from an intelligence center; if the intelligence level lies within the preset intelligence level range, the match succeeds.
Further, the configured network abnormal behavior matching rule is at least one of the six rules,
and during rule matching the rules are applied in order from rule one to rule six.
Further, issuing the defense policy command to the security defense device linked for the network abnormal behavior includes:
acquiring the type of security defense device to be linked according to the type of early-warning device to which the network abnormal behavior belongs, where a network attack early-warning device is data-linked with a security access control device and a terminal access early-warning device is data-linked with the terminal access early-warning device;
retrieving the policy block record data table of the security defense device to be linked from a MySQL database;
building a policy command from the data records acquired from the policy block record data table;
and acquiring the security defense device information, remotely connecting to the security defense device, and issuing the built policy command.
Further, in the above case,
if the security defense device to be linked is a security access control device, the number of source address objects, the object group name and the number of IPs in the group for the latest defense policy are acquired from the policy block record data table; if the security defense device to be linked is a terminal access early-warning device, the terminal access certificate is acquired from the policy block record data table.
Further, the method also comprises the following steps:
judging, from the number of source address objects, the object group name and the number of IPs in the group of the latest defense policy, whether the number of IPs in the current object group has reached a threshold; if not, the source IP to be blocked is put into the current latest object group when the policy command is built; if so, a new object group must be created, and it is judged whether the number of source address object groups has reached a threshold: if so, a new policy must be created and the new object group placed in the source address of the new policy; if not, the new object group is placed in the source address of the current policy.
Further, the method also comprises the following steps:
recording the source IPs for which a defense policy has been issued, and storing them in both a relational database and a cache; the relational database stores the source IP, security defense device IP, policy name, object group name and time; the cache stores the handling state of the network abnormal access behavior source IP, so that when network abnormal access behavior from the same source IP is detected again, no repeated judgment and handling is needed.
Another aspect of the invention provides an apparatus for handling network abnormal behavior, comprising:
an acquisition module for extracting key information of untrusted network access behavior from the security early-warning device log;
a rule module for matching the extracted key information against the configured network abnormal behavior matching rule and identifying the network abnormal behavior;
and
a linkage module for linking the security defense device according to the network abnormal behavior and issuing a defense policy command.
Further, the apparatus also comprises:
a recording module for recording the source IP (Internet Protocol address) of the network abnormal behavior for which a defense policy has been issued, together with its handling state.
Compared with existing network security protection methods, the invention has the following advantages:
the log data of all security early-warning devices is collected, saving the manpower needed to monitor the various security early-warning devices; network abnormal access is analyzed and identified quickly according to the configured rules, saving the time needed to analyze and judge network abnormal behavior manually; and the security defense device is linked and a targeted defense policy is set, saving the time needed for staff to operate policies on the security defense device and preventing policy misconfiguration by operators. The invention removes the need to monitor network abnormal behavior manually, improves the emergency response speed for security abnormal behavior, and ensures the security and stability of the internal network.
Drawings
Fig. 1 is a flowchart illustrating a method for handling network abnormal behavior according to an embodiment of the present invention.
Fig. 2 is a flow chart of processing early warning log data according to an embodiment of the present invention.
Fig. 3 is a flow chart of linked firewall policy issuing according to an embodiment of the present invention.
Detailed Description
The invention is further described below. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
One embodiment of the present invention provides a method for handling network abnormal behavior which, referring to fig. 1, includes:
extracting key information of the untrusted network access behavior from the logs of the security early-warning devices;
matching the extracted key information against a preset network abnormal behavior matching rule, and identifying the network abnormal behavior;
and issuing a defense policy command to the security defense device linked for the network abnormal behavior.
In the embodiment of the present invention, extracting the key information of an untrusted network access behavior from the log of a security early-warning device, referring to fig. 2, includes:
collecting the logs of the security early-warning devices;
identifying, in the logs, the network access behavior data judged to be untrusted by the security early-warning device;
and extracting key information fields from the untrusted network access behavior data, where the key information fields comprise source IP, destination IP, attack mode, early-warning level, attack result, attack time and similar data.
As shown in fig. 2, the method further comprises performing deduplication, format conversion and database persistence on the key information data.
Deduplication is performed on the tuple of early-warning source, source IP, destination IP and attack mode: records that agree on all four within 10 minutes are merged into one record.
Format conversion converts the numeric codes of fields such as attack mode, early-warning level and attack result in the key information data into their text descriptions, converts the attack timestamp into a character time format, and queries a local IP home-location library by source IP to obtain the source IP home location.
Persisting the format-converted data means storing it in a relational database, where the network access behavior data in the unhandled state is stored in an early-warning database to facilitate scanning and matching against the network abnormal behavior rules. Handling-state determination means that a handled state is set for network access behaviors that have been handled and an unhandled state for network abnormal behaviors that have not yet been handled.
In the embodiment of the present invention, matching the extracted key information against the preset network abnormal behavior matching rule to identify the network abnormal behavior includes:
scanning the early-warning database, taking the latest network access behavior alerts, and performing rule matching on the data whose handling state is unhandled against the preset network abnormal behavior matching rule;
and, for data that matches successfully, considering the network access behavior to be abnormal.
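As an added illustration of the log collection, extraction, deduplication and format-conversion steps described above (example code written for this page, not the patent's implementation), the following Python reads constructed JSON log lines in the shape an early-warning device might emit, keeps only records the device judged untrusted, merges records that share early-warning source, source IP, destination IP and attack mode within 10 minutes, converts the numeric attack mode, level and result codes to text, formats the attack time, looks up the source IP home location and marks each record unhandled. The code tables, the home-location library, the log field names and the choice that a merged record keeps the worst attack result are all assumptions.

```python
# Added example, not the patent's code. Field names, code tables and the
# home-location library are assumptions made for this illustration.
from datetime import datetime, timezone
import json

# Assumed numeric code tables (the patent only states that codes map to text).
ATTACK_MODE = {1: "port scan", 2: "brute force", 3: "web exploit"}
WARN_LEVEL = {1: "high risk", 2: "medium risk", 3: "low risk"}
ATTACK_RESULT = {0: "attempt", 1: "attack success"}
# Stand-in for the local IP home-location library: longest prefix wins.
IP_HOME = {"203.0.113.": "overseas", "198.51.100.": "overseas", "10.": "domestic"}
MERGE_WINDOW_S = 10 * 60  # records within 10 minutes are merged

# Constructed log lines (one JSON object per line), as a device might emit them.
SAMPLE_LOG = """\
{"device":"ids-01","trusted":false,"src":"203.0.113.7","dst":"10.0.0.5","mode":1,"level":1,"result":0,"ts":1700000000}
{"device":"ids-01","trusted":false,"src":"203.0.113.7","dst":"10.0.0.5","mode":1,"level":1,"result":1,"ts":1700000300}
{"device":"ids-01","trusted":true,"src":"10.0.0.9","dst":"10.0.0.5","mode":3,"level":3,"result":0,"ts":1700000310}
{"device":"ids-02","trusted":false,"src":"203.0.113.7","dst":"10.0.0.5","mode":1,"level":1,"result":0,"ts":1700000400}
{"device":"ids-01","trusted":false,"src":"203.0.113.7","dst":"10.0.0.5","mode":1,"level":1,"result":0,"ts":1700001000}
"""


def parse_untrusted(text):
    """Yield the log records the early-warning device judged untrusted."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("trusted", True):
            continue  # trusted access is not of interest here
        yield rec


def home_location(ip):
    """Longest-prefix lookup in the stand-in home-location library."""
    prefix = max((p for p in IP_HOME if ip.startswith(p)), key=len, default=None)
    return IP_HOME[prefix] if prefix else "unknown"


def extract_key_info(text):
    """Return deduplicated, format-converted key-information records."""
    groups = []
    for rec in parse_untrusted(text):
        key = (rec["device"], rec["src"], rec["dst"], rec["mode"])
        for g in groups:
            # Merge into an open group with the same tuple inside the window.
            if g["key"] == key and rec["ts"] - g["first_ts"] <= MERGE_WINDOW_S:
                g["count"] += 1
                g["result"] = max(g["result"], rec["result"])  # worst result wins
                break
        else:
            groups.append({"key": key, "first_ts": rec["ts"], "count": 1,
                           "level": rec["level"], "result": rec["result"]})
    records = []
    for g in groups:
        device, src, dst, mode = g["key"]
        when = datetime.fromtimestamp(g["first_ts"], tz=timezone.utc)
        records.append({
            "early_warning_source": device,
            "source_ip": src,
            "destination_ip": dst,
            "attack_mode": ATTACK_MODE.get(mode, f"code {mode}"),
            "warning_level": WARN_LEVEL.get(g["level"], f"code {g['level']}"),
            "attack_result": ATTACK_RESULT.get(g["result"], f"code {g['result']}"),
            "attack_time": when.strftime("%Y-%m-%d %H:%M:%S"),
            "source_home": home_location(src),
            "merged_count": g["count"],
            "handled": False,  # goes to the early-warning database as unhandled
        })
    return records


if __name__ == "__main__":
    for r in extract_key_info(SAMPLE_LOG):
        print(r)
```

The fifth sample line has the same tuple as the first two but falls outside the 10-minute window, so it becomes a separate record rather than being merged; the trusted line is dropped before extraction.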
There are six preset network abnormal behavior matching rules; the rules to apply are configured according to the security protection level. They are:
Rule one: match the alert result of the network abnormal behavior, i.e. the access result in the security device early-warning data. If the rule is set to "attack success", every early-warning record whose access result is "attack success" matches.
Rule two: this rule has two key parameters, a time range and a number of devices. If they are set to 5 minutes and 2 devices, the rule means that if 2 or more security early-warning devices have monitored abnormal behavior from the access source IP within the 5 minutes before the current time, the rule matches and the network access behavior is determined to be abnormal. The larger the time range and the smaller the device count, the more easily the rule matches and the more sensitive it is.
Rule three: match source IPs that exceed a threshold set for the security early-warning device within a certain time range. This rule has two key parameters, a time range and a threshold. If they are set to 10 minutes and 3 times, the rule means that if the current early-warning device has monitored abnormal behavior from the source IP 3 or more times within the 10 minutes before the current time, the rule matches and the network access behavior is determined to be abnormal. The larger the time range and the smaller the threshold, the more easily the rule matches and the more sensitive it is.
Rule four: match the alert level of the network abnormal behavior early warning. There are generally 3 alert levels: high risk, medium risk and low risk. The rule can be set to "high risk", "high risk and medium risk" or "high risk, medium risk and low risk". Because there are only three levels, the setting "high risk, medium risk and low risk" means that every alert of the current security early-warning device matches.
Rule five: whether the matched source IP alert is an overseas IP alert. Overseas IPs include foreign IPs as well as Hong Kong, Macao and Taiwan IPs; that is, the source IP home location is matched.
Rule six: query the source IP intelligence from the intelligence center. The intelligence center classifies the intelligence level of an IP as dangerous, high danger, medium danger, low danger or unknown. The rule can be set to "dangerous", "dangerous and high danger", "dangerous, high danger and medium danger" or "dangerous, high danger, medium danger and low danger".
The matching rules for network abnormal behavior can be configured with all six rules at once or with only some of them; a rule that is not configured is not matched. During matching, the six rules are applied in order from rule one to rule six; once one rule matches, the remaining rules are not evaluated and the network access behavior is directly determined to be abnormal.
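The six rules and their ordering, as an added example (written for this page, not the patent's code): `match_rules` applies rule one to rule six in sequence and returns the number of the first rule that matches, or `None` when no configured rule matches. The parameter values (5 minutes / 2 devices, 10 minutes / 3 alerts, the level and intelligence sets), the alert history, the record field names and the stand-in intelligence center are constructed; a rule set to `None` counts as not configured, and the current alert is counted together with the history for rules two and three.

```python
# Added example, not the patent's code. Rule parameters, the alert history,
# the intelligence lookup and the record layout are assumptions.
from datetime import datetime, timedelta

# Constructed rule configuration; None means the rule is not configured.
RULES = {
    "rule1_result": "attack success",
    "rule2_multi_device": {"window": timedelta(minutes=5), "devices": 2},
    "rule3_repeat": {"window": timedelta(minutes=10), "threshold": 3},
    "rule4_levels": {"high risk", "medium risk"},
    "rule5_overseas": True,
    "rule6_intel": {"dangerous", "high danger"},
}

# Stand-in intelligence center: source IP -> intelligence level.
INTEL = {"203.0.113.7": "dangerous", "198.51.100.4": "low danger"}

# Constructed early-warning history: (device, source IP, alert time).
NOW = datetime(2024, 1, 1, 12, 0, 0)
HISTORY = [
    ("ids-02", "198.51.100.4", NOW - timedelta(minutes=2)),
    ("ids-01", "10.0.0.3", NOW - timedelta(minutes=1)),
    ("ids-01", "10.0.0.3", NOW - timedelta(minutes=4)),
    ("ids-01", "10.0.0.3", NOW - timedelta(minutes=8)),
    ("ids-01", "10.0.0.3", NOW - timedelta(minutes=30)),  # outside every window
]


def make_record(src, device, result="attempt", level="low risk", home="domestic"):
    """Build a key-information record in the layout assumed by match_rules."""
    return {"source_ip": src, "early_warning_source": device,
            "attack_result": result, "warning_level": level, "source_home": home}


def match_rules(rec, history=HISTORY, now=NOW, rules=RULES, intel=INTEL):
    """Apply rules one to six in order; return the first matching rule number or None."""
    src, dev = rec["source_ip"], rec["early_warning_source"]

    def recent(window):
        # Earlier alerts for this source IP inside the window ending at now.
        return [(d, s) for d, s, t in history
                if s == src and timedelta(0) <= now - t <= window]

    r = rules.get("rule1_result")
    if r is not None and rec["attack_result"] == r:
        return 1
    r = rules.get("rule2_multi_device")
    if r is not None:
        devices = {d for d, _ in recent(r["window"])} | {dev}  # current alert counts
        if len(devices) >= r["devices"]:
            return 2
    r = rules.get("rule3_repeat")
    if r is not None:
        hits = 1 + sum(1 for d, _ in recent(r["window"]) if d == dev)
        if hits >= r["threshold"]:
            return 3
    r = rules.get("rule4_levels")
    if r is not None and rec["warning_level"] in r:
        return 4
    if rules.get("rule5_overseas") and rec["source_home"] == "overseas":
        return 5
    r = rules.get("rule6_intel")
    if r is not None and intel.get(src, "unknown") in r:
        return 6
    return None


# Constructed records exercising each rule and the short-circuit order.
REC_SUCCESS = make_record("10.0.0.3", "ids-01", result="attack success")
REC_MULTI_DEVICE = make_record("198.51.100.4", "ids-01", home="overseas")
REC_REPEAT = make_record("10.0.0.3", "ids-01")
REC_LEVEL = make_record("10.0.0.9", "ids-01", level="medium risk")
REC_OVERSEAS = make_record("203.0.113.7", "ids-03", home="overseas")
REC_QUIET = make_record("10.0.0.9", "ids-01")

if __name__ == "__main__":
    for name, rec in [("success", REC_SUCCESS), ("multi-device", REC_MULTI_DEVICE),
                      ("repeat", REC_REPEAT), ("level", REC_LEVEL),
                      ("overseas", REC_OVERSEAS), ("quiet", REC_QUIET)]:
        print(name, "->", match_rules(rec))
```

`REC_SUCCESS` would also satisfy rule three, but rule one is evaluated first and decides; `REC_MULTI_DEVICE` is overseas, yet rule two fires before rule five is reached. Shrinking the rule-three window from 10 to 3 minutes leaves only one earlier alert in range, so the same `REC_REPEAT` record no longer matches anything, which is the sensitivity trade-off the description points out.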
In the embodiment of the present invention, issuing a defense policy command to the security defense device linked for the network abnormal behavior, shown in fig. 3, includes:
acquiring the type of security defense device to be linked according to the type of early-warning device (network attack early-warning device or terminal access early-warning device) to which the network abnormal behavior belongs, where a network attack early-warning device is data-linked with a security access control device and a terminal access early-warning device is data-linked with the terminal access early-warning device.
Retrieving the data of the linked device from the policy block record data table of the MySQL database: if the device is a security access control device such as a firewall, the number of source address object groups of the latest defense policy, the object group names and the number of IPs in each group need to be acquired from the policy block record data table; if it is a terminal access early-warning device such as a security access gateway, the terminal access certificate needs to be acquired.
Constructing and issuing a blocking policy command from the data record acquired from the "block record data table" of the MySQL database.
The security access control device generally refers to a firewall device, and creating a policy on a firewall device generally takes two steps: (1) create an object group; (2) create a blocking policy and place the object group in the policy's source address. The first step, creating the object group, creates a group and puts the IP addresses to be blocked into it; the number of IP addresses an address group can hold has a threshold (at most a given number of IP addresses), and no further IP addresses can be added once the threshold is exceeded. The second step creates the policy. A firewall device policy mainly consists of key fields such as source zone, destination zone, source address, destination address, service (ports and the like), action and effective date. When the blocking policy is created automatically, every field except the source address, which changes and also has a threshold (at most a given number of object groups), uses a default value: the source zone and destination zone default to "ANY", representing inbound and outbound two-way access; the destination address and service default to "ANY", representing all IPs and services accessing the internal network; the action defaults to "Deny", representing packet drop, i.e. blocking; and the validity period generally defaults to 3 months, after which the policy expires.
The terminal access early-warning device generally refers to a security access gateway device. For the security access gateway device it is only necessary to assemble the terminal IP, the terminal certificate (a data certificate proving the uniqueness of the terminal) and the policy action into array data, call the security access gateway's policy creation interface, and pass the array data to create the policy.
The security defense device information is acquired from the security device information table of the MySQL database, the security defense device is connected remotely, the built policy command is transmitted, and an effective defense policy is generated. The security defense device information comprises the device IP, device account, device password and SSH login port, and SSH access to the device must be enabled. The device password is stored encrypted in the security device information table of the MySQL database; when the security defense device is linked remotely, the encrypted password is read from the table and decrypted, and the decrypted password is then used for a scripted login to the device.
Referring to fig. 3, the method further includes judging whether the number of IP addresses in the object group, and the number of object groups in the source address of the security access control device policy, have reached their thresholds. If the current object group has not reached its threshold, the policy command only needs to add the source IP address to be blocked to the latest object group, i.e. a host add command is used; if it has, a new address object group must be created, i.e. a host create command is used. It must also be judged whether the number of object groups in the policy's source address has reached its threshold: if so, the policy command must create a new policy, i.e. a policy create command is used, and the newly created object group is placed in the source address of the new policy; if not, the newly created object group is only added to the source address of the latest policy, i.e. a policy add command is used.
In the embodiment of the invention, data and defense policy records are kept for handled network abnormal behaviors, so that when the same network abnormal behavior is detected again it can be judged and identified immediately without setting a defense policy. The method records each source IP for which a defense policy has been issued, storing it in both the MySQL database "policy block record data table" and the Redis cache. The MySQL database stores the details of the source IP policy, including the source IP, security defense device IP, policy name, object group name and time, which facilitates the blocking judgment when building policy commands; the Redis cache stores the handling state of the network abnormal access source IP, so that when abnormal access behavior from the same source IP is detected again no repeated judgment and handling is needed, saving resources.
The embodiment of the invention also includes detecting whether the policy for the network abnormal access behavior source IP has taken effect on the security defense device, and re-issuing the defense policy if it has not taken effect or if policy construction failed.
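The linked firewall policy issuing described in this section (the object-group and policy thresholds, the host add / host create / policy add / policy create operations, recording in the relational table and the cache, and re-issuing when the policy has not taken effect), as an added example that is not the patent's code: `build_block_commands` chooses the operation from the latest block record, and `LinkageModule` issues the commands through a caller-supplied callback, verifies the result, records it, and skips source IPs the cache already marks as handled. The command syntax, the thresholds (4 IPs per group, 2 groups per policy), the 90-day validity standing in for "3 months", the in-memory table and cache, and the issue/verify callbacks are all assumptions; a real deployment would drive the device's own CLI or API over the SSH session the description mentions.

```python
# Added example, not the patent's code. Command syntax, thresholds, the
# in-memory table/cache and the issue/verify callbacks are assumptions.
from dataclasses import dataclass, replace
from datetime import date, timedelta

GROUP_IP_LIMIT = 4               # assumed: max IPs per address object group
POLICY_GROUP_LIMIT = 2           # assumed: max object groups per policy source address
POLICY_VALIDITY = timedelta(days=90)  # "generally 3 months", approximated as 90 days


@dataclass(frozen=True)
class BlockState:
    """Latest defense-policy record from the policy block record table."""
    policy_name: str
    policy_index: int       # policies created so far
    group_name: str
    group_index: int        # object groups created so far
    groups_in_policy: int   # object groups in the latest policy's source address
    ips_in_group: int       # IPs in the latest object group


def build_block_commands(state, src_ip, today):
    """Return (commands, new_state) needed to block src_ip given the latest record."""
    if state.ips_in_group < GROUP_IP_LIMIT:
        # Room in the current group: host add.
        return ([f"host add {state.group_name} {src_ip}"],
                replace(state, ips_in_group=state.ips_in_group + 1))
    # Group full: host create a new group holding this IP.
    group = f"blk-grp-{state.group_index + 1}"
    cmds = [f"host create {group} {src_ip}"]
    if state.groups_in_policy < POLICY_GROUP_LIMIT:
        # Room in the current policy's source address: policy add.
        cmds.append(f"policy add {state.policy_name} src-addr {group}")
        return cmds, replace(state, group_name=group, group_index=state.group_index + 1,
                             groups_in_policy=state.groups_in_policy + 1, ips_in_group=1)
    # Policy full as well: policy create with the description's defaults.
    policy = f"blk-pol-{state.policy_index + 1}"
    expiry = today + POLICY_VALIDITY
    cmds.append(f"policy create {policy} src-zone ANY dst-zone ANY src-addr {group} "
                f"dst-addr ANY service ANY action Deny expire {expiry.isoformat()}")
    return cmds, BlockState(policy, state.policy_index + 1, group, state.group_index + 1, 1, 1)


class LinkageModule:
    """Builds, issues, verifies and records block policies for one firewall."""

    def __init__(self, state, issue, verify, device_ip):
        self.state = state
        self.issue = issue        # callable(commands) -> bool; stand-in for the SSH session
        self.verify = verify      # callable(src_ip) -> bool; has the policy taken effect?
        self.device_ip = device_ip
        self.records = []         # stand-in for the MySQL policy block record table
        self.cache = {}           # stand-in for Redis: source IP -> handling state

    def handle(self, src_ip, today, max_attempts=3):
        """Block src_ip unless already handled; re-issue while verification fails."""
        if self.cache.get(src_ip) == "handled":
            return "skipped"  # same source IP seen again: no repeated handling
        for attempt in range(1, max_attempts + 1):
            cmds, new_state = build_block_commands(self.state, src_ip, today)
            if self.issue(cmds) and self.verify(src_ip):
                self.state = new_state
                self.records.append({"source_ip": src_ip, "device_ip": self.device_ip,
                                     "policy": new_state.policy_name,
                                     "group": new_state.group_name,
                                     "time": today.isoformat()})
                self.cache[src_ip] = "handled"
                return f"issued:{attempt}"
        self.cache[src_ip] = "failed"
        return "failed"


if __name__ == "__main__":
    start = BlockState("blk-pol-1", 1, "blk-grp-1", 1, 1, 3)
    sent = []
    module = LinkageModule(start, lambda c: sent.extend(c) or True,
                           lambda ip: True, "192.0.2.1")
    for ip in ["203.0.113.10", "203.0.113.11", "203.0.113.10"]:
        print(ip, module.handle(ip, date(2024, 1, 1)))
    print("\n".join(sent))
```

The retry loop rebuilds the commands from the unchanged state, so the stand-in `issue` callback is assumed to tolerate repeating the same operation; the state only advances once verification confirms the policy is in effect, which is what keeps the recorded table consistent with the device.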
Another embodiment of the present invention provides an apparatus for handling network abnormal behavior, comprising:
an acquisition module for collecting the logs of the security early-warning devices, identifying untrusted network access behavior data, extracting key information about the access behaviors from that data, and formatting, deduplicating, converting and persisting the key information data;
a matching module that configures the network abnormal behavior matching rule, scans the early-warning data of network access behaviors in real time according to the configured rule, and performs rule matching;
and a linkage module for automatically assembling and issuing a defense policy command from the local database block records and the security defense device's policy command syntax, connecting remotely to the security defense device and generating an effective defense policy.
The apparatus also comprises a recording module for keeping data and defense policy records for handled network abnormal behaviors, so that when the same network abnormal behavior is detected again it can be judged and identified immediately without setting a defense policy.
It is to be noted that the apparatus embodiment corresponds to the method embodiment, and the implementation manners of the method embodiment are all applicable to the apparatus embodiment and can achieve the same or similar technical effects, so that the details are not described herein.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (12)

1. A method for handling network abnormal behavior, characterized by comprising the following steps:
extracting key information of untrusted network access behavior from security early-warning device logs;
matching the extracted key information according to a set network abnormal behavior matching rule, and identifying the network abnormal behavior;
and issuing a defense policy command for the network abnormal behavior to the linked security defense device.
2. The method for handling network abnormal behavior according to claim 1, wherein extracting key information of untrusted network access behavior from the security early-warning device logs comprises:
collecting security early-warning device logs;
identifying, in the logs, network access behavior data that has been judged untrusted;
extracting key information from the untrusted network access behavior data, the key information comprising at least: source IP, destination IP, attack mode, early-warning level, attack result and attack time.
3. The method for handling network abnormal behavior according to claim 2, further comprising:
merging key information having the same source IP, the same destination IP and the same attack mode within a set time into one record;
converting the numeric indexes of attack mode, early-warning level and attack result in the key information into their text descriptions, converting the attack time into a character time format, and querying a local IP home-location library by source IP to obtain the source IP home location;
storing the format-converted key information in a relational database, wherein key information of network access behavior in the unhandled state is stored in an early-warning database.
4. The method for handling network abnormal behavior according to claim 3, wherein matching the extracted key information comprises:
scanning the early-warning database and matching the key information of network access behavior in the unhandled state against the preset network abnormal behavior matching rule;
and for key information that matches successfully, judging the corresponding network access behavior to be network abnormal behavior.
5. The method for handling network abnormal behavior according to claim 4, wherein the network abnormal behavior matching rule comprises:
rule one: matching the attack result in the key information against the access result of the security device early-warning data; if they are consistent, the match succeeds;
rule two: judging the source IP in the key information; if the source IP has been monitored as untrusted by more than a preset number of security early-warning devices within a set time range, the match succeeds;
rule three: judging the source IP in the key information; if the number of untrusted network access behaviors from that source IP monitored by the current security early-warning device within a set time range exceeds a preset threshold, the match succeeds;
rule four: judging the early-warning level in the key information; if it is within a preset early-warning level range, the match succeeds;
rule five: judging the source IP in the key information; if the alert originates from an overseas IP, the match succeeds;
rule six: judging the source IP in the key information by querying its intelligence level through an intelligence center; if the intelligence level is within a preset intelligence level range, the match succeeds.
6. The method for handling network abnormal behavior according to claim 5, wherein the set network abnormal behavior matching rule is at least one of the six rules,
and in the rule matching process the rules are applied in order from rule one to rule six.
7. The method for handling network abnormal behavior according to claim 1, wherein issuing a defense policy command for the network abnormal behavior to the linked security defense device comprises:
obtaining the type of security defense device to be linked according to the type of early-warning device to which the network abnormal behavior belongs, wherein a network attack early-warning device is data-linked with a security access control device, and a terminal access early-warning device is data-linked with a terminal access early-warning device;
retrieving, in a MySQL database, the policy blocking record table of the security defense device to be linked;
building a policy command from the data records obtained from the policy blocking record table;
and obtaining the security defense device information, remotely linking to the security defense device, and issuing the built policy command.
8. The method for handling network abnormal behavior according to claim 7, wherein
if the security defense device to be linked is a security access control device, the number of source address objects of the latest defense policy, the object group name and the number of IPs in the group are obtained from the policy blocking record table; and if the security defense device to be linked is a terminal access early-warning device, a terminal access certificate is obtained from the policy blocking record table.
9. The method for handling network abnormal behavior according to claim 8, further comprising:
judging, from the number of source address objects of the latest defense policy, the object group name and the number of IPs in the group, whether the number of IPs in the current object group has reached a threshold; if not, placing the source IP to be blocked into the current latest object group when the policy command is built; if so, creating a new object group and judging whether the number of source address object groups has reached a threshold: if so, creating a new policy and placing the new object group into the source address of the new policy; if not, placing the new object group into the source address of the current policy.
10. The method for handling network abnormal behavior according to claim 1, further comprising:
recording the source IP for which a defense policy has been issued, and storing it in both a relational database and a cache; the relational database stores the source IP, the security defense device IP, the policy name, the object group name and the time; the cache stores the handling state of the network abnormal access behavior source IP, so that when network abnormal access behavior from the same source IP is detected again it need not be judged and handled again.
11. An apparatus for handling network abnormal behavior, comprising:
an acquisition module, configured to extract key information of untrusted network access behavior from security early-warning device logs;
a rule module, configured to match the extracted key information according to a set network abnormal behavior matching rule and identify network abnormal behavior;
and
a linkage module, configured to link the security defense device according to the network abnormal behavior and issue a defense policy command.
12. The apparatus for handling network abnormal behavior according to claim 11, further comprising:
a recording module, configured to record the source IP of network abnormal behavior for which a defense policy has been issued, together with its handling state.
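Claims 2 and 3 describe the collection step: keep only the alerts the early-warning device itself judged untrusted, pull out the key fields, merge alerts that share source IP, destination IP and attack mode inside a time window, then turn numeric codes into text and resolve the source IP to its home location before the record is stored in the unhandled state. The Python below is an added example written for this page, not code from the patent or its applicants. The log format, field names, code tables, the five-minute merge window and the prefix-to-region table standing in for the local IP home-location library are all assumptions, and the log lines are constructed.

```python
"""Added example (not the patent's code): normalise constructed early-warning
log lines as claims 2 and 3 describe. Format, field names, code tables and the
home-location table are assumptions."""
from datetime import datetime, timedelta, timezone
import ipaddress
import json

# Constructed sample log: one JSON alert per line. "trusted" is the device's own
# verdict; mode/level/result are numeric indexes, ts is a Unix timestamp.
SAMPLE_LOG = """\
{"device":"ids-01","trusted":false,"src":"203.0.113.7","dst":"10.1.1.20","mode":3,"level":2,"result":1,"ts":1627536000}
{"device":"ids-01","trusted":false,"src":"203.0.113.7","dst":"10.1.1.20","mode":3,"level":3,"result":0,"ts":1627536120}
{"device":"ids-01","trusted":true,"src":"10.1.1.5","dst":"10.1.1.20","mode":1,"level":1,"result":0,"ts":1627536150}
{"device":"waf-02","trusted":false,"src":"198.51.100.9","dst":"10.1.2.8","mode":5,"level":4,"result":1,"ts":1627536200}
{"device":"ids-01","trusted":false,"src":"203.0.113.7","dst":"10.1.1.20","mode":3,"level":2,"result":0,"ts":1627540000}
"""

# Assumed code tables that turn numeric indexes into readable text.
ATTACK_MODE = {1: "port scan", 3: "SQL injection", 5: "webshell upload"}
LEVEL = {1: "low", 2: "medium", 3: "high", 4: "critical"}
RESULT = {0: "failed", 1: "succeeded"}

# Constructed stand-in for the local IP home-location library (prefix -> region).
HOME_LOCATION = {
    ipaddress.ip_network("203.0.113.0/24"): "Region A",
    ipaddress.ip_network("198.51.100.0/24"): "Region B",
}

MERGE_WINDOW = timedelta(minutes=5)  # the "set time" of claim 3 (assumed value)


def lookup_home(ip):
    addr = ipaddress.ip_address(ip)
    for net, region in HOME_LOCATION.items():
        if addr in net:
            return region
    return "unknown"


def extract_key_info(log_text):
    """Claim 2: keep only alerts the device judged untrusted and pull the key fields."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["trusted"]:
            continue
        records.append({
            "device": event["device"],
            "src_ip": event["src"],
            "dst_ip": event["dst"],
            "attack_mode": event["mode"],
            "level": event["level"],
            "result": event["result"],
            "time": datetime.fromtimestamp(event["ts"], tz=timezone.utc),
        })
    return records


def merge_key_info(records, window=MERGE_WINDOW):
    """Claim 3: alerts with the same source IP, destination IP and attack mode whose
    time lies within `window` of the first one collapse into a single record. Keeping
    a hit count and the highest level/result is this example's choice."""
    merged = []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["src_ip"], rec["dst_ip"], rec["attack_mode"])
        for m in merged:
            same_key = (m["src_ip"], m["dst_ip"], m["attack_mode"]) == key
            if same_key and rec["time"] - m["time"] <= window:
                m["count"] += 1
                m["level"] = max(m["level"], rec["level"])
                m["result"] = max(m["result"], rec["result"])
                break
        else:
            merged.append(dict(rec, count=1))
    return merged


def to_display_format(merged):
    """Claim 3: numeric indexes -> text, time -> character format, source IP -> home location."""
    rows = []
    for m in merged:
        rows.append({
            "src_ip": m["src_ip"],
            "src_home": lookup_home(m["src_ip"]),
            "dst_ip": m["dst_ip"],
            "attack_mode": ATTACK_MODE.get(m["attack_mode"], f"unknown({m['attack_mode']})"),
            "level": LEVEL.get(m["level"], f"unknown({m['level']})"),
            "result": RESULT.get(m["result"], f"unknown({m['result']})"),
            "time": m["time"].strftime("%Y-%m-%d %H:%M:%S"),
            "count": m["count"],
            "state": "unhandled",  # rows in this state go to the early-warning database
        })
    return rows


def process_log(log_text=SAMPLE_LOG):
    return to_display_format(merge_key_info(extract_key_info(log_text)))


if __name__ == "__main__":
    for row in process_log():
        print(row)
```

The trusted alert is dropped at extraction, the first two `203.0.113.7` alerts (120 seconds apart) merge into one record with a count of 2, and the third, arriving more than an hour later, starts a fresh record, so the early-warning database receives three unhandled rows rather than four.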
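Claims 4 to 6 define the decision step: the unhandled records are scanned and the six rules are applied in a fixed order, any subset of them may be enabled, and a record that matches is judged network abnormal behavior. The Python below is an added example for this page, not the patent's or its applicants' code, and it goes slightly beyond the claims by running a configurable subset. The thresholds, the one-hour window, the address space treated as "domestic" for the overseas test, the intelligence table standing in for the intelligence center, and the choice to stop at the first matching rule (the claims fix only the order of evaluation) are assumptions; the alert history is constructed so that each rule fires exactly once.

```python
"""Added example (not the patent's code): the six matching rules of claims 5 and 6
evaluated in order over constructed alert records. Thresholds, the overseas test,
the intelligence table and first-hit semantics are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Alert:
    device: str       # security early-warning device that raised the alert
    src_ip: str
    dst_ip: str
    attack_mode: str
    level: int        # early-warning level, 1 (low) .. 4 (critical)
    result: str       # attack result as recorded by the device
    time: datetime


@dataclass(frozen=True)
class RuleConfig:
    expected_result: str = "succeeded"                  # rule 1
    min_devices: int = 2                                # rule 2: more than this many devices
    window: timedelta = timedelta(hours=1)              # rules 2 and 3: the "set time range"
    max_events: int = 5                                 # rule 3: more than this many events
    level_range: range = range(3, 5)                    # rule 4: levels 3 and 4
    domestic: tuple = (ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("203.0.113.0/24"))  # rule 5 (assumed domestic space)
    intel_levels: frozenset = frozenset({"high", "critical"})   # rule 6
    enabled: tuple = (1, 2, 3, 4, 5, 6)                 # at least one rule, always in this order


INTEL = {"203.0.113.50": "high"}  # constructed stand-in for the intelligence center


def same_src_in_window(alert, history, cfg):
    return [h for h in history
            if h.src_ip == alert.src_ip and abs(h.time - alert.time) <= cfg.window]


def rule_1(a, history, cfg):  # attack result matches the expected access result
    return a.result == cfg.expected_result

def rule_2(a, history, cfg):  # flagged untrusted by more than N distinct devices in the window
    return len({h.device for h in same_src_in_window(a, history, cfg)}) > cfg.min_devices

def rule_3(a, history, cfg):  # more than M untrusted events on the current device in the window
    return sum(h.device == a.device for h in same_src_in_window(a, history, cfg)) > cfg.max_events

def rule_4(a, history, cfg):  # early-warning level inside the preset range
    return a.level in cfg.level_range

def rule_5(a, history, cfg):  # source IP is overseas, i.e. outside the assumed domestic space
    addr = ipaddress.ip_address(a.src_ip)
    return not any(addr in net for net in cfg.domestic)

def rule_6(a, history, cfg):  # intelligence level from the intel center inside the preset set
    return INTEL.get(a.src_ip) in cfg.intel_levels

RULES = {1: rule_1, 2: rule_2, 3: rule_3, 4: rule_4, 5: rule_5, 6: rule_6}


def match(alert, history, cfg=RuleConfig()):
    """Number of the first enabled rule (tried in order 1..6) that matches, else None."""
    for n in cfg.enabled:
        if RULES[n](alert, history, cfg):
            return n
    return None


def scan(unhandled, history, cfg=RuleConfig()):
    """Claim 4: scan the unhandled records; a matched record is network abnormal behavior."""
    return {a.src_ip: match(a, history, cfg) for a in unhandled}


# Constructed history of untrusted alerts held by the early-warning database.
T0 = datetime(2021, 7, 29, 8, 0)

def mk(device, src, level, result, minute):
    return Alert(device, src, "10.1.1.20", "SQL injection", level, result,
                 T0 + timedelta(minutes=minute))

HISTORY = (
    [mk("ids-01", "203.0.113.7", 2, "failed", m) for m in range(0, 30, 5)]          # 6 hits, one device
    + [mk(d, "192.0.2.44", 1, "failed", 10) for d in ("ids-01", "waf-02", "fw-03")]  # 3 devices
    + [mk("ids-01", "10.9.9.9", 1, "succeeded", 12),
       mk("ids-01", "10.2.3.4", 4, "failed", 15),
       mk("ids-01", "198.51.100.9", 1, "failed", 20),
       mk("ids-01", "203.0.113.50", 1, "failed", 25),
       mk("ids-01", "203.0.113.60", 1, "failed", 26)]
)
UNHANDLED = [HISTORY[5]] + HISTORY[7:8] + HISTORY[9:]  # one unhandled record per source IP

if __name__ == "__main__":
    for src, rule in scan(UNHANDLED, HISTORY).items():
        print(src, "-> rule", rule if rule else "none (not abnormal)")
```

Because the rules run in order, `192.0.2.44` is caught by rule two (three devices) before rule five would have called it overseas, and `203.0.113.7` is caught by rule three (six hits on `ids-01`) even though its level and location would pass rules four and five. Restricting `enabled` to `(4, 5)` lets the same `203.0.113.7` record through, which is the practical cost of the "at least one of six rules" flexibility in claim 6.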
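Claims 7 to 10 describe the response step for a security access control device: read the latest policy, object group and per-group IP count from the policy blocking record table, decide whether the blocked source IP goes into the current group, a new group, or a new policy (claim 9), issue the command over the remote link, then record the source IP, device IP, policy name, group name and time in the relational database and the handling state in the cache so a repeat of the same source IP is skipped (claim 10). The Python below is an added example for this page, not the patent's or its applicants' code. `sqlite3` stands in for the MySQL database and a dict for the cache; the two thresholds, the name scheme, the starting state when a device has no policy yet, and the `send` callback standing in for the device link are assumptions, and only the access control branch of claim 8 is shown (the terminal access certificate branch is not).

```python
"""Added example (not the patent's code): build the blocking-policy command for a
security access control device per claims 7 to 9 and record it per claim 10.
sqlite3 stands in for MySQL, a dict for the cache; thresholds, names and the
device link are assumptions."""
import sqlite3
from datetime import datetime, timezone

MAX_IPS_PER_GROUP = 3       # threshold on IPs in one source-address object group (assumed)
MAX_GROUPS_PER_POLICY = 2   # threshold on object groups per policy (assumed)


def next_name(name):
    """block_group_1 -> block_group_2 (the naming scheme is an assumption)."""
    stem, _, n = name.rpartition("_")
    return f"{stem}_{int(n) + 1}"


class PolicyBlockRecords:
    """Policy blocking record table (latest policy/group per device), the issued-policy
    table of claim 10, and the cache of handled source IPs."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE block_record(device_ip TEXT PRIMARY KEY, policy_name TEXT,
                group_count INTEGER, group_name TEXT, ip_count INTEGER);
            CREATE TABLE issued(src_ip TEXT, device_ip TEXT, policy_name TEXT,
                group_name TEXT, issued_at TEXT);
        """)
        self.cache = {}  # src_ip -> handling state

    def latest(self, device_ip):
        return self.db.execute(
            "SELECT policy_name, group_count, group_name, ip_count "
            "FROM block_record WHERE device_ip = ?", (device_ip,)).fetchone()

    def commit(self, src_ip, device_ip, policy, group_count, group, ip_count):
        """Persist the new latest state, the issued record and the cache entry together."""
        self.db.execute("INSERT OR REPLACE INTO block_record VALUES (?,?,?,?,?)",
                        (device_ip, policy, group_count, group, ip_count))
        self.db.execute("INSERT INTO issued VALUES (?,?,?,?,?)",
                        (src_ip, device_ip, policy, group,
                         datetime.now(timezone.utc).isoformat()))
        self.cache[src_ip] = "handled"


def build_block_command(records, device_ip, src_ip):
    """Claim 9: add to the current group, open a new group, or open a new policy."""
    row = records.latest(device_ip)
    if row is None:  # no policy on this device yet; this starting state is an assumption
        policy, group_count, group, ip_count = "block_policy_1", 1, "block_group_1", 0
    else:
        policy, group_count, group, ip_count = row
    action = "add_to_group"
    if ip_count >= MAX_IPS_PER_GROUP:               # current object group is full
        group, ip_count = next_name(group), 0
        if group_count >= MAX_GROUPS_PER_POLICY:    # policy has no room for another group
            policy, group_count, action = next_name(policy), 1, "new_policy"
        else:
            group_count, action = group_count + 1, "new_group"
    ip_count += 1
    return {"device": device_ip, "src_ip": src_ip, "action": action, "policy": policy,
            "group_count": group_count, "group": group, "ip_count": ip_count}


def handle(records, device_ip, src_ip, send=lambda cmd: True):
    """Claim 10: a source IP already marked handled in the cache is not judged or
    blocked again. `send` stands in for the remote link and reports success."""
    if records.cache.get(src_ip) == "handled":
        return None
    cmd = build_block_command(records, device_ip, src_ip)
    if send(cmd):
        records.commit(src_ip, device_ip, cmd["policy"], cmd["group_count"],
                       cmd["group"], cmd["ip_count"])
    return cmd


if __name__ == "__main__":
    recs = PolicyBlockRecords()
    for i in range(1, 9):
        print(handle(recs, "10.0.0.254", f"203.0.113.{i}"))
    print(handle(recs, "10.0.0.254", "203.0.113.1"))  # already handled -> None
```

With three IPs per group and two groups per policy, the fourth blocked address opens a second group in the first policy and the seventh opens a second policy; the record table is only updated after `send` reports success, so a failed push to the device does not advance the group or policy counters.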

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110861793.6A CN113596028B (en) 2021-07-29 2021-07-29 Method and device for handling network abnormal behaviors

Publications (2)

Publication Number Publication Date
CN113596028A true CN113596028A (en) 2021-11-02
CN113596028B CN113596028B (en) 2023-06-30

Family

ID=78251634

Country Status (1)

Country Link
CN (1) CN113596028B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257415B (en) * 2021-11-25 2024-04-30 中国建设银行股份有限公司 Network attack defending method, device, computer equipment and storage medium
CN115051830A (en) * 2022-04-29 2022-09-13 国网浙江省电力有限公司宁波供电公司 Electric power target range hidden danger data safety monitoring system and method
CN115051830B (en) * 2022-04-29 2023-12-26 国网浙江省电力有限公司宁波供电公司 Electric power target range hidden danger data safety monitoring system and method
CN115189926A (en) * 2022-06-22 2022-10-14 北京天融信网络安全技术有限公司 Network flow detection method, network flow detection system and electronic equipment
CN115189926B (en) * 2022-06-22 2024-01-26 北京天融信网络安全技术有限公司 Network traffic detection method, network traffic detection system and electronic equipment
CN115314252A (en) * 2022-07-06 2022-11-08 北京神州慧安科技有限公司 Protection method, system, terminal and storage medium applied to industrial firewall

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180131720A1 (en) * 2016-11-08 2018-05-10 Massachusetts Institute Of Technology Dynamic flow system
CN110855697A (en) * 2019-11-20 2020-02-28 国网湖南省电力有限公司 Active defense method for network security in power industry
CN111641591A (en) * 2020-04-30 2020-09-08 杭州博联智能科技股份有限公司 Cloud service security defense method, device, equipment and medium
US20200329072A1 (en) * 2019-04-11 2020-10-15 Level 3 Communications, Llc System and method for utilization of threat data for network security
CN111935074A (en) * 2020-06-22 2020-11-13 国网电力科学研究院有限公司 Integrated network security detection method and device
CN112468472A (en) * 2020-11-18 2021-03-09 中通服咨询设计研究院有限公司 Security policy self-feedback method based on security log association analysis

Also Published As

Publication number Publication date
CN113596028B (en) 2023-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant